Krebs on Security

In-depth security news and investigation

Would You Use This ATM?

One basic tenet of computer security is this: If you can’t vouch for a networked thing’s physical security, you cannot also vouch for its cybersecurity. That’s because in most cases, networked things really aren’t designed to foil a skilled and determined attacker who can physically connect his own devices. So you can imagine my shock and horror seeing a Cisco switch and wireless antenna sitting exposed atop an ATM out in front of a bustling grocery store in my hometown of Northern Virginia.

Now let’s have a closer look at the back of this machine to see what we’re dealing with:

Need to get online in a jiffy? No problem, this ATM has plenty of network jacks for you to plug into. What could go wrong?

Daniel Battisto, the longtime KrebsOnSecurity reader who alerted me to this disaster waiting to happen, summed up my thoughts on it pretty well in an email.

“I’d like to assume, for the sake of sanity, that the admin who created this setup knows that Cisco security is broken relatively simply once physical access is gained,” said Battisto, a physical and IT security professional. “I’d also like to assume that all unused interfaces are shut down, and port-security has been configured on the interfaces in use. I’d also like to assume that the admin established a good console login.”

While it’s impossible to test the security of this setup without tampering with the devices, “considering that this was left like this in the front vestibule of a grocery store with no cameras around AND the console cable still attached, my above assumptions are likely invalid,” Battisto observed.

“In my experience, IT departments often overlook basic security practices, and double down on the oversight by not implementing proper physical security controls (you’d be surprised, maybe, at the number of server rooms that I’ve been in that had the keys to all of the racks taped to the outside of the doors),” he said.
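The three assumptions Battisto lists (unused interfaces shut down, port-security on the interfaces in use, a console login) can be checked offline against a switch's saved configuration. The following is an added example, not part of the original post: the configuration text is constructed, the function names are hypothetical, and it assumes an interface carrying a `description` is one that is in use and that AAA is not configured.

```python
# Constructed sample of a Cisco IOS saved configuration (not from the post).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description ATM uplink
 switchport mode access
 switchport port-security
!
interface FastEthernet0/2
 description wireless bridge
 switchport mode access
!
interface FastEthernet0/3
!
interface FastEthernet0/4
 shutdown
!
line con 0
"""

def stanzas(config):
    """Group indented sub-commands under their unindented parent command."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":
            current = line.strip()
            out[current] = []
        elif current is not None:
            out[current].append(line.strip())
    return out

def audit(config):
    """Return (target, problem) findings for the three controls in the quote."""
    findings = []
    for head, body in stanzas(config).items():
        if head.startswith("interface "):
            name = head.split(None, 1)[1]
            if "shutdown" in body:
                continue
            # Assumption: an interface with a description is in use.
            if not any(c.startswith("description") for c in body):
                findings.append((name, "unused interface not shut down"))
            elif "switchport port-security" not in body:
                findings.append((name, "in use without port-security"))
        # Simplification: ignores AAA method lists applied to the console.
        elif head == "line con 0" and not any(c.startswith("login") for c in body):
            findings.append(("con 0", "console has no login"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` flags FastEthernet0/2, FastEthernet0/3 and the console line, and leaves the hardened and shut-down ports alone.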

If something doesn’t look right about an ATM, don’t use it and move on to the next one. It’s not worth the hassle and risk associated with having your checking account emptied of cash. Also, it’s best to favor ATMs that are installed inside of a building or wall as opposed to free-standing machines, which may be more vulnerable to tampering.

If you liked this piece, check out my entire series on skimming devices, All About Skimmers.

This entry was posted on Thursday, July 28th, 2016 at 3:31 pm and is filed under All About Skimmers.

117 comments

The only ATM I ever use is at the bank or one of the same bank’s ATMs at a convenience chain (Wawa) because there is no fee and the machines are in a high traffic area so sticking something on them would be observed quickly and the stores are full of video cameras. When I see one of those stand-alone in a remote spot ATM, usually just plugged into a telephone jack (one of my customers has this type in his laundromats) I not only steer clear because of the fees but also the security at the site.

I believe we have candy and soda machines at work now that take credit/debit cards, also with an antenna on top of the machine. I haven’t investigated further but would not use plastic for a soda or a bag of cheese doodles in the first place.

The ATM system is broken in the first place if it relies on that Cisco *ROUTER* to do anything but forward in the first place.

If this setup is as vulnerable as this rant implies then you shouldn’t use any ATM whatsoever. That would mean that the communication is not encrypted (nor authenticated) when it leaves the ATM. And if any ATM had that property then you can’t trust any of them.

Ha! Even better, a crook can pilfer the goods on the top of the unit and do a sale via a trunk or eBay. Unless this stuff is hardware mounted to the ATM, it’s free money for someone, and the ATM is useless.

There are a lot of Mom and Pop owned ATMs out there with little to no upgrades to the device. Add in the vulnerabilities and the additional ports available to plug in a sniffer and listen, or simply crack the unit and own any data by sitting nearby and waiting for the tech to mash in the username and password to reconfigure, as someone else has the data needed to monitor any traffic without being detected.

I have to assume – that the stuff was owner supplied and not a crook attempting to simply have people overlook a completely out in the open heist.

The guy who sold the ATM to the grocery store owner now:
“Ma friiieeennd, this ATM is total legit ma frent, it workt as we advertised it to you in your contrakt my frent. when your customer put kart in machine, machine says you heff zero, because trust me maam with dis antena it is prety damn fast accurate, you can be sure you have zero, this is exact working machine it tells you how much you heff before sending your money obivously.”
ATM builders are the first crooks mark my words.

I think everyone missed one key point…using good security practices, they have employed a layered defence model. See the sign placed on top to block your view for the router and antenna.
They must read Krebs!

Well I live in a small town and the ONLY ATM is in the back corner of a Shop’N Rob surrounded by mountains of pop cans and sundry dreck. The ceiling is also falling down tiles. And they charge a fee even if you have the bank brand card but it is used a lot. The only bank (Wells Fargo) will not install an ATM for some reason. The local dollar store, seeing a good thing, charges a fee for cash back purchases. So we have to go 35 miles to ValMort for cash. Be thankful you have choice!